Merge two events

[Inova]

Hi all,

I need some help for to manage java exceptions (multiline message).

I have one case in my filter which can detect if a message contains the word "at", which means that the current event is part of a java exception :

Code: Select all

grok {
    remove_tag => [ "_grokparsefailure" ]
    match => [ "message", "\[%{WORD}:%{USERNAME:server_name}\]%{GREEDYDATA:msg}at %{GREEDYDATA:msg}"]
    named_captures_only => true
}
if "_grokparsefailure" not in [tags] {
	mutate {
	replace => [ "type", "%{server_name}" ]
	replace => [ "severity_label", "ERROR"]
}

The first basic action I want to do now is : if I'm in this case, I want to merge the current event with the previous event (which should be related to the current) with no specific processing and no check, just merging.
Do you know a simple way to implement that ?

I already looked at the "multiline" filter in logstash, but it was unsuccessful and give me strange behaviors, I hope there is a more simple way to merge events.

Thanks in advance for your help and have a good day,
Quentin

[scottwilkerson]

You really need to create a new input and use the multiline coded on the input
http://logstash.net/docs/1.4.2/codecs/multiline